
The gang behind the Atlanta city shutdown and other attacks is selecting victims carefully and offering volume discounts to unlock whole organizations.

Ransomware has lately lost its status as the queen of the cybercrime prom, but a new iteration of the nefarious SamSam extortion code shows that it can still make a bid to be sparkly and attention-getting.

The latest version of SamSam has taken the malware road less traveled, ditching widespread spam campaigns for unusually targeted, whole-company attacks. According to an analysis by Sophos, in a reversal of previous tactics, SamSam operators are now launching thousands of copies of the ransomware at once into individual organizations, each of which has been carefully selected.

To effect the “whole-company” play, SamSam uses various vulnerability exploits rather than phishing and spam to gain access to a victim company’s network; it has also been seen brute-forcing weak Remote Desktop Protocol (RDP) passwords, Sophos said. After gaining a foothold, SamSam follows its known pathology, seeking out additional victims via network mapping and credential theft – a tactic that Cisco Talos analysts noticed back in January. Once the potential targets are discovered, the attackers manually deploy SamSam on the selected systems, using tools like PsExec and batch scripts.
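The two intrusion steps just described leave a recognizable trail in Windows logs: a burst of failed remote logons (Event ID 4625) from one source that is eventually followed by a success (4624), and then the PsExec service (PSEXESVC) being installed (System log Event ID 7045) on several hosts in quick succession. The Python below is an added example, not code from the Sophos or Talos analyses, that runs that detection logic over a constructed set of event records; the field names are an assumption standing in for whatever your log pipeline emits, and the event IDs and logon types are the standard Windows ones.

```python
"""Detection logic for the SamSam intrusion pattern described above:
RDP password brute-forcing followed by manual PsExec deployment.

Added example; the event records below are constructed for it and the
field names are an assumption, not a parser for real EVTX output.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Event IDs are the standard
# Windows ones: 4625 = failed logon and 4624 = successful logon (Security log),
# 7045 = new service installed (System log). Logon type 10 is RemoteInteractive
# (RDP); with NLA enabled, failed RDP attempts are often logged as type 3.
SAMPLE_EVENTS = [
    {"time": f"2018-04-20T02:00:{5 * i:02d}", "id": 4625, "host": "DC01",
     "src_ip": "203.0.113.7", "logon_type": 10, "user": user}
    for i, user in enumerate(["administrator", "admin", "backup", "sqlsvc",
                              "helpdesk", "scanner", "operator", "svc_rdp",
                              "jsmith", "mjones", "itadmin", "rdpuser"])
] + [
    # the guessing eventually succeeds from the same source address
    {"time": "2018-04-20T02:01:30", "id": 4624, "host": "DC01",
     "src_ip": "203.0.113.7", "logon_type": 10, "user": "itadmin"},
    # one stray failure from an unrelated address: stays below threshold
    {"time": "2018-04-20T02:03:00", "id": 4625, "host": "DC01",
     "src_ip": "198.51.100.9", "logon_type": 3, "user": "jsmith"},
    # manual deployment: PsExec's service appears on two hosts seconds apart
    {"time": "2018-04-20T02:15:00", "id": 7045, "host": "FS01",
     "service_name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"time": "2018-04-20T02:15:05", "id": 7045, "host": "WS-042",
     "service_name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    # benign service install hours later; must not be flagged
    {"time": "2018-04-20T08:00:00", "id": 7045, "host": "WS-101",
     "service_name": "Spooler", "image_path": r"C:\Windows\System32\spoolsv.exe"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def detect_rdp_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Map (host, src_ip) -> details for sources with at least `threshold`
    failed remote logons inside any `window`, noting whether a successful
    logon from that source followed the first failure."""
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        if e.get("logon_type") not in (3, 10):   # only network/RDP logons
            continue
        key = (e["host"], e["src_ip"])
        if e["id"] == 4625:
            failures[key].append(_ts(e))
        elif e["id"] == 4624:
            successes[key].append(_ts(e))
    hits = {}
    for key, times in failures.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):           # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[key] = {
                "failures": best,
                "succeeded_after": any(s > times[0] for s in successes.get(key, [])),
            }
    return hits


def detect_psexec_service_installs(events, min_hosts=2, window=timedelta(minutes=30)):
    """Return the hosts where a PsExec-style service was installed and whether
    the installs cluster on at least `min_hosts` inside `window`, the shape of
    a manual mass deployment. Caveat: PsExec's -r switch renames the service,
    so matching on PSEXESVC alone misses a renamed copy; pair this with a rule
    on new services whose binary was just written to the ADMIN$ share."""
    installs = []
    for e in events:
        if e["id"] != 7045:
            continue
        blob = (e.get("service_name", "") + " " + e.get("image_path", "")).upper()
        if "PSEXESVC" in blob:
            installs.append((_ts(e), e["host"]))
    installs.sort()
    mass = False
    for t, _ in installs:
        hosts_in_window = {h for tt, h in installs if t <= tt <= t + window}
        if len(hosts_in_window) >= min_hosts:
            mass = True
            break
    return {"hosts": sorted({h for _, h in installs}), "mass_deployment": mass}


if __name__ == "__main__":
    print("RDP brute force:", detect_rdp_bruteforce(SAMPLE_EVENTS))
    print("PsExec installs:", detect_psexec_service_installs(SAMPLE_EVENTS))
```

On the constructed input the brute-force rule fires for 203.0.113.7 against DC01 (12 failures in under a minute, then a success), and the service-install rule reports PSEXESVC on FS01 and WS-042 within 30 minutes of each other while ignoring the later Spooler install. The thresholds are starting points: tune `threshold` and `window` against your own baseline of failed logons before relying on them.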

After they’ve infiltrated a target company and saturated it with the malware, the operators are also mixing things up when it comes to business tactics: They’re offering a “volume discount” to clean all of those machines.

In Sophos’ examination, the volume discount works out to about $45,000 worth of Bitcoin at current exchange rates.

“We don’t know why the price is $45,000,” said Sophos researcher Paul Ducklin, in a post. “For all we know, that number was picked because it’s below certain reporting thresholds, or because the crooks want to pick the highest value they dare without getting into corporate board-level approval territory. All we can say is that $45,000 is a lot of money.”

If companies don’t want the so-called volume discount, they can pay per host, restoring select machines by sending the specific host names to the operators.

As for how business is going for the SamSam gang, Talos reported that a SamSam-affiliated Bitcoin wallet address had received 30.4 BTC as of January. A second address, active from mid-January, has received 23 payments as of April, Sophos said. Between the two, the criminals have raked in a total income of 68.1 Bitcoin to date, which works out to about $632,199 at the latest exchange rate.

The good news is that basic security hygiene, like patching, segmenting the network, having backups in place and enforcing policy on privileged account access can all help protect against SamSam. Companies should take note and take the time to build a ransomware plan, because the stakes are high: While they shouldn’t pay the ransom, victims are sure to pay in one way or another.

The city of Atlanta, a high-profile recent SamSam victim, ponied up $2.7 million to security firms and consultants to help it get its machines and data back. The attack caused a complete shutdown for days of the Georgia capital’s online systems, which support the police department, city courts, parts of the airport (the world’s busiest) and more. Attackers asked the city to pay $6,800 to unlock each computer, which translates into a whopping $51,000 for all of the needed keys – but the city declined to pay. Regardless, the event was costly – and some systems are still inaccessible, according to reports.

Authors

Threatpost
